Thursday, December 31, 2009

We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like it's back!

I'm on vacation today, so I was actually alerted to the story by a friend twittering this SC Magazine story. Vacation or not, that was worth checking into. I took a dip into the UAB Spam Data Mine looking for domain names associated with this version of the malware.

We've seen more than sixty different Subject lines used by the spam:

2010 New Year Wishes!
A Great 2010!
A Happy New Year!
A New Year e-card is waiting for you
A special card just for you
Greeting Card from Santa
Greeting for you!
Greeting you with heartiest New Year wishes.
Greetings from Santa
Happy 2010 To U!
Happy 2010!
Happy New Year 2010!
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Happy New Year To U!
Happy New Year Wish!
Happy New Year wishes just for you
Happy New Year Wishes!
Happy New Year!
Happy, Happy New Year!
Have a funfilled and blasting NewYear!
Have a Great New Year!
Have a happy and colorful New Year!
Have a Happy New Year!
Have a very Happy New Year!
I made an Ecard for U!
I sent you the ecard
l want to share Greeting with you
New Year 2010 Ecard Special Delivery
New Year 2010 greetings for you
New Year 2010!
New Year Cheers!
New Year E-card for you
New Year Ecard Notification
New Year Wishes!
Regards from Santa
Santa has sent you a digital postcard!
Santa has sent you a greeting card!
Santa has sent you a Happy New Year E-Card!
Santa has sent you a New Year E-Card!
Santa has sent you a New Year greeting card!
Santa has sent you an E-Card!
Santa has sent you an ecard!
Santa has something to show you!
Santa sent you New Year Greetings
Santa sent you a Greeting!
Santa sent you New Year Wishes!
Santa wishes you a Happy New Year
Sparkling wishes on the New Year!
Special New Year Wish for you.
Warmest Wishes For New Year!
Welcome 2010!
Wishing you a Happy New Year!
Wishing you the Best New Year!
You have a greeting card
You have a New Year Greeting!
You Have An E-card Waiting For You!
You have received a greetings card
You Received an Ecard.
You've got a Happy New Year Greeting Card!
You've got a New Year card!
You've got an E-card

Each domain can be used with any subject, and with any of the following paths:

These domains are of course registered at China Springboard Inc. On each domain name, you can click the name to see the Waledac Tracker report by our friend Jeremy at SudoSecure in Huntsville. Some of these domain names have as many as 12,000 entries in his Waledac Tracker!

gumentha.com/counter.php - this actually causes a download from biozcgicfziy.com/nte/TREST1.php

gumentha.com/in2.php - this one causes a download from domoktov.com/bu1/ - (you'll be shocked to learn that domain is registered to someone in St. Petersburg, Russia . . .one Denis Sergunkin already known to be hosting Fragus Exploit kits on other domains of his, such as 1tomohappy.com and funky-soft2.com)

purgand.com/in5.php - this one also hits domoktov.com/bu1/

aweleon.com/ghost.php - that one ALSO hits domoktov.com. So, Denis? are you paying the Waledac gang? or ARE you the Waledac gang?

This time around the Waledac domains are hosted using Fast Flux, and they are also using Fast Flux for the Nameservers. As we've discussed before, this means that the addresses of the compromised computers are entered into the nameserver records as the host addresses for the malware domains. In other words, getting infected makes your computer spread the infection. So far we've seen more than 1500 computers being used by the malware in this way.

I'll load up a Virtual Machine in a bit to evaluate the actual malware.

Facebook Zbot Still Spreading

We're also seeing an on-going fake Facebook update, which is the Zeus bot. Here are the 45 domains we've seen in the UAB Spam Data Mine so far this morning:

Saturday, December 26, 2009

As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share back with our readers what stories were most interesting to them, based on the traffic that was created to the blog. We'll do two more "Year in Review" stories, one focused on social computing threats, and one focused on the year's "Cyberwar" stories.

First I wanted to mention that in 2009, pageviews to the blog went up by about 74% over 2008. Although I had hoped for 200,000 pageviews this year, we fell a bit shy of the mark. As of December 26th, we've had 125,983 unique visitors bring us 192,409 pageviews in 150,722 visits.

Google was the primary way that people found our stories, and I am grateful to the folks at Google for hosting the blog again this year. After Google, the #2 referrer to the site was Facebook. It's nice to see people on Facebook warning each other about security risks and sharing links to the blog with each other. #3 was Twitter. Although I have a bit more than 550 followers on Twitter, it's also been nice to see a large number of retweets with links back to the blog. Thanks to all the Facebookers and Twitterers who have been sharing our stories with their friends and followers.

2009 Top Stories by Readership

1. Webmasters Targeted by CPanel Phish - many hosting companies and webmaster organizations helped spread the word about this unique phishing attack that wasn't trying to steal banking passwords, but rather webmaster passwords. The goal of the attack was to compromise the login credentials that allow webmasters to change their webpages, which is exactly what we've been seeing this week: thousands of accounts being taken over so that their webpages could be injected with malicious iframes, compromising visitors to existing websites with a "clean" history.

2. Fake FDIC spam campaign spreads Zeus malware - one of the most prevalent ways to steal identities this year was to begin with a broadly targeted social engineering scare which enticed visitors to click links that would lead to malware. In this case, the spam warned "Your bank has failed!" and provided a link to your "personalized FDIC report" to determine if your deposits were covered by insurance.

3. Computer Virus Masquerades as Obama - despite being a November 2008 story, websurfers continued to follow links to our story about malware being distributed in links that claimed to be messages from our President.

4. DownAdUp, Conflicker, Conficker whatever you want to call it, this worm drew tons of attention from January until March. Then, after what most consider an April 1st "flop", the worm got very little media attention. This is largely because of the successful efforts of the Conficker Working Group which has worked behind the scenes to keep the malware at bay and to warn network operators. Most don't realize that there are still more than 6 million Conficker-infected computers in the world.

8. One on-going trend that we've seen was covered in our story Carders Do Battle Through Spam. These battles, which I call "pigeon fights", involve a spammer sending out false and very criminal accusations against another online criminal group. In this case, there was a bit of truth, as the spam claimed that carder.su sells illegal credit cards, while in other cases they may be accused of terrorism, child pornography, or human trafficking. The goal seems to be to get enough law-abiding citizens to report the horrible spam they got to focus law enforcement attention on a competitor.

9. It's nice to be able to share good news in our blog, and the best kind of news is when cyber criminals get arrested. Our story The FBI's Biggest Domestic Phishing Bust Ever covered Operation: Phish Phry, where more than 50 Americans and a number of Egyptians were arrested as part of an international phishing conspiracy that had stolen funds from more than 5,000 American bank accounts.

10. Our next largest story was the coverage we offered to a Spam Crisis in China. That one is not over yet, but a major step forward was accomplished this month when CN-NIC announced new rules on domain registrations. We'll be reviewing the results of these rules, which limit the fraudulent use of ".cn" domains, to determine what impact the changes are having on spam so far.

* - I continue to be contacted daily by people who have been hit by a Traveler Scam claiming a stranded friend needs money. Most of these are Nigerian account takeovers of Hotmail, Live.com, and Yahoo email addresses which are then used to email all the friends found in the address book.

Thanks to Those who Link to our Stories . . .

We've had some faithful friends who have been kind enough to mention the blog. I probably should have run this as a separate story at Thanksgiving time, but for all of you listed below, Thank You! Whether you are security experts, journalists, or fellow bloggers, I am happy to count us all on the same team.

The Internet Storm Center at SANS has linked stories several times from their Handlers Diary. These selfless individuals donate their time to track emerging threats and from time to time share stories from this blog with their readers. They have an enormous readership, based on the impact to this blog when one of our stories is mentioned there. Traffic-wise, it is better to show up in the SANS ISC Diary than to be Slash-Dotted!

Brian Krebs of the Washington Post continues to be the most influential journalist in the Internet Security space and has been kind enough to mention our stories on several occasions in 2009. His legendary leadership in the McColo campaign has changed the way the world looks at evil web hosting, but his constant awareness of what's happening in cybercrime has also kept him at the forefront of investigative journalism in our space. I can't wait to see what Brian does in 2010!

UAB's Computer & Information Sciences department has also driven considerable traffic to the blog - and not just from my students! Our unique offering of a certificate in Computer Forensics that combines the disciplines from Criminal Justice, Forensic Science, and Computer Science is gaining popularity as the correct approach to preparing cybercrime investigators for their career.

The Composite Blocking List sent us traffic all year long, but mostly from a single story, which was their definitive coverage of the effects of the McColo shutdown on spam. Using a blocklist like the CBL, SpamHaus SBL, or SURBL is highly recommended anti-spam practice.

Ryan Naraine and Dancho Danchev should be on every security person's Google Reader list. With a nice mix of straight security and cybercrime, the consistency and quality of this blog drives a lot of traffic when we get a nod from them.

Security.NL is one of the most consistent referrers to the blog and drives a lot of traffic our way. Last year they linked to our blog thirty separate times! Since I don't speak Dutch, I can only hope that a "beveiligingsexpert" is a good thing, because they say I am one! Thanks for making sure our friends in the Netherlands are on top of cybercrime and security issues!

IDG's Robert McMillan also is a journalist who is breaking an enormous number of cybercrime stories, although it's harder to quantify the number of referrals from his blogs because they show up as links from PC World, ComputerWorld, Network World, Linuxworld, CIO, CSO, InfoWorld, and the foreign language versions of so many of those as well. Bob is another hard-working cyber security journalist who often exposes me to new stories that end up being covered in this blog. Thanks, Bob!

The Register also continues to break stories regularly on cybercrime issues, and has frequently sent traffic our way - especially in stories from Dan Goodin and John Leyden.

SC Magazine continues to grow in popularity and influence as well, and we've been favored by mention several times this year from Dan Kaplan. He's a journalist well worth following! It was also great to work with their editor, Illena Armstrong, on the SC 24/7 Virtual Symposium on botnets.

The second page asks visitors to provide 100 three-digit numbers which are used as a fraud prevention mechanism by the bank. In normal usage, visitors to the bank are prompted with an X and Y coordinate, like "A7", and will add to their password the three digit number that is found on that position on their card. Each banking customer has their own unique card. The phisher here can't use their userid and password unless they also have the card information, so they are asking for THE ENTIRE CARD!

But what else can we learn by looking at Passive DNS?

As with all of the "Avalanche family" of phishing and malware sites, the site is hosted via Fast Flux. That is, infected personal computers around the world have malware on them which allows the criminal to point his Nameserver settings to these compromised home computers. When someone clicks on the spam message, they are directed not to the criminal's webserver, but to one of these compromised home computers.

The Fast Flux phrase refers to the fact that the criminal constantly updates his nameservers to rotate the hosting of the spammed hostname across many hundreds of bots.

When we investigate one of those IP addresses, we find that the same Fast Flux hosts were found to also be hosting the Visa.com Zeus malware distribution sites that we've discussed earlier, and also a "United Bankers Association" site.
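The two things described above, in the December 31 Waledac note (malware domains and their nameservers both served from infected machines) and in this BBVA write-up (pivoting on an IP in Passive DNS to find other campaigns on the same bots), can both be checked from a passive DNS log. The following is an added example, not code from the blog or from any tracker mentioned on it. It parses constructed passive DNS observations (the hostnames, addresses and TTLs are made up; the 100.64.0.0/10 addresses are non-public shared address space chosen so that no real host is implied), scores each name with heuristic fast-flux indicators whose thresholds I chose for this example, flags zones whose nameservers themselves flux ("double flux"), and lists which other names have shared an IP with a given name.

```python
"""Fast-flux indicators and shared-infrastructure pivots over passive DNS data.

Added example. The log below is constructed; thresholds are heuristic choices."""
import ipaddress
from collections import defaultdict

# Constructed passive-DNS log lines: "<timestamp> <name> <type> <value> <ttl>".
SAMPLE_LOG = """\
2009-12-31T08:00:05 www.bbva-secure.test A 100.64.3.17 300
2009-12-31T08:05:11 www.bbva-secure.test A 100.70.22.5 300
2009-12-31T08:10:02 www.bbva-secure.test A 100.81.200.1 300
2009-12-31T08:15:44 www.bbva-secure.test A 100.95.4.44 300
2009-12-31T08:20:19 www.bbva-secure.test A 100.100.9.9 300
2009-12-31T08:25:03 www.bbva-secure.test A 100.117.61.3 300
2009-12-31T08:00:30 bbva-secure.test NS ns1.bbva-secure.test 300
2009-12-31T08:00:31 ns1.bbva-secure.test A 100.81.200.1 300
2009-12-31T08:12:40 ns1.bbva-secure.test A 100.70.22.5 300
2009-12-31T08:30:02 ns1.bbva-secure.test A 100.117.61.3 300
2009-12-31T08:45:10 ns1.bbva-secure.test A 100.66.8.8 300
2009-12-31T09:00:00 visa-statement.test A 100.70.22.5 300
2009-12-31T09:01:00 visa-statement.test A 100.81.200.1 300
2009-12-31T09:02:00 visa-statement.test A 100.64.3.17 300
2009-12-31T09:03:00 visa-statement.test A 100.123.1.2 300
2009-12-31T09:04:00 visa-statement.test A 100.100.9.9 300
2009-12-31T08:00:00 www.example-corp.test A 192.0.2.1 86400
2009-12-31T12:00:00 www.example-corp.test A 192.0.2.1 86400
"""

# Heuristic thresholds chosen for this example: many distinct addresses spread
# across many /16 networks, all with short TTLs, is the fast-flux signature.
MIN_IPS, MIN_NETS, MAX_TTL = 4, 3, 600


def parse_log(text):
    """Turn the whitespace-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, rtype, value, ttl = line.split()
        records.append({"ts": ts, "name": name, "type": rtype, "value": value, "ttl": int(ttl)})
    return records


def slash16(ip):
    """/16 prefix as a crude proxy for 'different network'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_report(records):
    """Per hostname: distinct IPs, distinct /16s, lowest TTL, and a fast-flux verdict."""
    by_name = defaultdict(list)
    for r in records:
        if r["type"] == "A":
            by_name[r["name"]].append(r)
    report = {}
    for name, rs in by_name.items():
        ips = {r["value"] for r in rs}
        nets = {slash16(ip) for ip in ips}
        min_ttl = min(r["ttl"] for r in rs)
        report[name] = {
            "unique_ips": len(ips),
            "unique_16s": len(nets),
            "min_ttl": min_ttl,
            "fast_flux": len(ips) >= MIN_IPS and len(nets) >= MIN_NETS and min_ttl <= MAX_TTL,
        }
    return report


def double_flux_zones(records, report):
    """Zones whose NS hostnames are themselves flagged as fast-flux."""
    return {r["name"] for r in records
            if r["type"] == "NS" and report.get(r["value"], {}).get("fast_flux")}


def shared_infrastructure(records, name):
    """Other hostnames that resolved to an IP also used by `name` -> sorted shared IPs."""
    ip_to_names = defaultdict(set)
    for r in records:
        if r["type"] == "A":
            ip_to_names[r["value"]].add(r["name"])
    my_ips = {r["value"] for r in records if r["type"] == "A" and r["name"] == name}
    related = defaultdict(set)
    for ip in my_ips:
        for other in ip_to_names[ip] - {name}:
            related[other].add(ip)
    return {other: sorted(ips) for other, ips in related.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    rep = flux_report(recs)
    for host, stats in rep.items():
        print(host, stats)
    print("double-flux zones:", double_flux_zones(recs, rep))
    print("shares bots with www.bbva-secure.test:", shared_infrastructure(recs, "www.bbva-secure.test"))
```

On the constructed data the BBVA host and its nameserver both trip the heuristic, the zone is reported as double flux, and the pivot shows four addresses in common with the Visa site, which is the kind of overlap the post used to tie the campaigns together. In real use the thresholds need tuning per sensor, and ASN diversity is a far better signal than the /16 proxy used here.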

We can still see the UBA version, and find many samples of it in the UAB Spam Data Mine, such as these:

The bank you have an account in, is declared bankrupt. Learn How to Save your Money: >link<

Subjects for this spam include:

A message for the owner of ******** bank account.
A new back is declared bankrupt.
Bankrputcy declaration.

Yeah, it really says "back" instead of "bank" and really uses "********" in the subject line.

The sites we found sharing Fast Flux hosting with the BBVA campaign include:

This site doesn't provide ANY information about the so-called bankruptcy of "your bank", but it does tell you you have to upgrade your Adobe Macromedia Flash Player:

The malware distributed there, called "flashinstaller.exe" is binary identical to the current fake Visa malware, "cardstatement.exe". A VirusTotal Report shows 13 of 41 anti-virus products currently detecting the malware.

Monday, December 21, 2009

There are at least forty domains seen in today's spam. Please see the story above for more on the URL pattern (the machine name may begin with "alerts", "reports", "statements", "transactions", or "sessionid" with random characters after the "sessionid" version), but here is one sample URL for each domain:

It's too early to know for sure what malware this is, because currently only 4 of the 41 anti-virus products at VirusTotal detect it as anything at all. Sunbelt calls it Bredolab, the three others all say only that it is "suspicious". I'll try to run it through our malware VM later today and make a more definite judgement.
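The URL pattern described above (a machine-name prefix such as "alerts" or "reports", or "sessionid" followed by random characters, in front of a throwaway domain) is the kind of thing a mail or proxy log can be triaged against to pull out the distinct domains. The following is an added example, not code from the blog; the regular expression is my reading of the prefix description, the sample URLs are constructed, and the registered-domain helper assumes plain two-label domains (it would mis-handle suffixes like .co.uk).

```python
"""Group spam URLs by the hostname prefix pattern described in the post.

Added example; URLs below are constructed and the regex is an assumption."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Leading host label: one of the fixed words, or "sessionid" plus random characters.
PREFIX_RE = re.compile(r"^(alerts|reports|statements|transactions|sessionid[a-z0-9]+)\.", re.I)

# Constructed sample: three throwaway campaign domains plus one unrelated URL.
SAMPLE_URLS = [
    "http://alerts.card-notice-one.test/visa/report.php?id=11",
    "http://reports.card-notice-one.test/visa/report.php?id=12",
    "http://sessionidx7k2q9.card-notice-two.test/visa/report.php",
    "http://statements.card-notice-three.test/visa/report.php",
    "http://www.example.org/",
]


def registered_domain(host):
    """Last two labels of the host (assumption: no multi-part public suffixes)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return prefix family and domain for a matching URL, else None."""
    host = urlsplit(url).hostname or ""
    m = PREFIX_RE.match(host)
    if not m:
        return None
    prefix = m.group(1).lower()
    family = "sessionid" if prefix.startswith("sessionid") else prefix
    return {"host": host, "prefix_family": family, "domain": registered_domain(host)}


def summarize(urls):
    """Map each campaign domain to the sorted prefix families seen on it."""
    domains = defaultdict(set)
    for url in urls:
        hit = classify_url(url)
        if hit:
            domains[hit["domain"]].add(hit["prefix_family"])
    return {d: sorted(f) for d, f in domains.items()}


if __name__ == "__main__":
    for domain, families in summarize(SAMPLE_URLS).items():
        print(domain, families)
```

A prefix match on its own is only a triage signal (a legitimate "alerts.example.org" would match too); the value is in the domain list it produces, which can then be checked against registration data or a fast-flux analysis.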

One example would be the spam messages for this "spaces.live.com" blog:

http://cid-3d8eb92dd2d67dba.spaces.live.com/

which leads to the website "biznews7.org", which forwards to the website "news2010letter.com", which recruits people to join the scam by sharing their credit card number on the site "http://www.safetrialoffers.com/searchsecretsystems/le5/".

On that site, the same scam is still being run by this organization:

Search 4 Profit, LLC.
7614 Arvilla Avenue.
Sun Valley, CA 91352

The Fine Print still reads:

Terms and Disclosures. Billing authorization obtained pursuant to the Uniform Electronic Transaction Act and the Electronic Signatures in Global and National Transactions Act. By submitting this form, I am ordering Search Secret Systems for a 7-day bonus period for $1.97 billed to my credit Card; If you enjoy Search Secret Systems, simply do nothing. On the 7th day my credit card will automatically be charged an easy payment of $89.26 once a month for three months. After the three months you will not be billed again. You will then maintain unlimited access to our member site. During your three month program you may cancel anytime by calling 1-877-361-8622 M - F, 8am-8pm MST.

Amazingly, the phone number was answered and a person actually asked how they could help me! When we wrote the first article, the phone rang and rang, but no one ever answered.

Of course, there are still quite a few ways this is illegal, even if they do now answer the phone, including the CAN SPAM violations. The email "from" address is forged and there is no "unsubscribe" link of any sort, nor is there a physical mailing address, despite this being a commercial offer. Here's an example spam message:

Never work in an office again! I've been working for someone else my entire life. A few weeks ago I found out about working for Google online so I decided to check it out. I signed up and read a few articles and tried a few different things and within 6 weeks I was making enough to quit my full time job to work at home! If this sounds like something that interests your, check out URLhttp://profiles.yahoo.com/blog/MVO2GFP4W7AEJ42YOXCPAVOTU4A song, a song, high above the trees

Work for the world's largest employer today lori has Earned $2,069 This December Alone! Check it out here:http://cid-5ccbbcb19ba7028f.spaces.live.comO tidings of comfort and joy.

Friday, December 18, 2009

#1 Search on Google in the past hour: "Iranian Cyber Army"
#2 Search on Google in the past hour: "Twitter hacked"

What do these things have to do with each other?

A formerly unknown group, the Iranian Cyber Army, was able to redirect the DNS for Twitter, causing all visitors to be temporarily redirected to another IP address, not belonging to Twitter, and sharing the message from the Iranian Cyber Army that they are cooler hackers than you.

Since we do actually track website defacers at UAB, and since we've never heard of the Iranian Cyber Army, we thought we would take a quick peek in our favorite Iranian hacker rooms to see who was boasting of their conquest.

First we found "vhdmsm" sharing details of the attack in the Iranian Hacker Forum, Ashiyane Digital Security.

They quote the defacement:

========================

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?

WE PUSH THEM IN EMBARGO LIST

Take Care

=====================

and post links to the Twitter Blog entry about the attack, and a CNET news story.

But there is no indication they were themselves involved.

We're going to need some more evidence. Perhaps someone should be talking to the folks at BlueHost this morning.

See for yourself?

A little twiddling with various DNS Caching systems, and we were able to find the IP address to which traffic had been redirected:

66.147.244.182

There are some interesting domains there, including:

http://mowjcamp.net/

That site is interesting, because it's on Bluehost, in the United States.

which currently shows content made from these graphic files (I've moved them to a more permanent location...just in case):

In my opinion, it looks like that server was compromised via WordPress vulnerabilities, but that is just an educated guess based on content at this time. So, it looks like the hacker first hacked one of the sites on the Bluehost box, either mowjcamp.org, wpcrowd.com, or coventryri.com, then redirected all the twitter traffic to that IP by changing the Nameserver entries for Twitter to point away from their normal Google-provided IP addresses to 66.147.242.88 instead.

Tuesday, December 15, 2009

Big news from China with regards to their domain name registration policies.

Readers of the blog know that I have regularly complained about criminals from around the world abusing the services of Chinese domain name registration companies. We have also commented on the practice of "bullet-proof hosting", for instance in our story Spam Crisis in China.

I am happy to report that the fine people at the China Internet Network Information Center (CNNIC) have taken action to address this situation!

Thanks to Robert McMillan from IDG for giving me the Twitter tip-off on this story!

China barred individuals from applying for Chinese domain names, ending with .cn, from yesterday as part of a national campaign against pornographic content spread online, the industry regulator said.

Applicants for domain name registration are required to hand in written application forms, with a business license and the applicant's identity card, according to the China Internet Network Information Center (CNNIC).

The new application system will help the CNNIC better regulate the Internet environment in the country and crack down on improper content online, experts said.

1) they must prominently display a link to the Ministry of Industry and Information Technology along with their MIIT approval number to do business in this area.

2) they must prominently display information on how to make a domain name registration complaint to the CNNIC, including their email, telephone, and fax number for CNNIC.

In their own version of security through journalism (the term we use in the US is called "Krebsing"), CNNIC revealed in their letter of December 10th that further changes would be coming as a result of a television documentary on the CCTV program "Focus" and other media reports that indicated that criminals using false information were registering websites to carry out illegal activities. They announced in their open letter, On the strengthening of domain name registration service management, that changes would be coming to crack down on "pornographic websites", stating that "CNNIC has a duty to the country as the domain name registration authority to take responsibility to stop this illegal activity."

As part of this letter, they announce that "in the face of rampant phishing, they have joined the internet community to establish an 'anti-phishing website union' more than a year ago, and in the previous year have shut down more than 8,000 phishing websites to protect the public interest."

As part of their plans, the CNNIC has pledged to shutdown companies performing registrations for illegal activities, and to enhance their manpower and resources to address complaints more rapidly. They have also provided a 24 hour Customer Service Telephone number and an email that can be used to report illegal domain activity:

An announcement followed also on December 10th, With regard to domain name registration: Information to carry out notification of special treatment. In this announcement the rule was made that any domain name must contain "true, accurate and complete domain name registration information" and that any domain name registration that was untrue, inaccurate, or incomplete would result in the domain name being terminated. This new ruling specifically extends to previously registered domains as well - any previously registered domain reported to have false registration information is to be cancelled within five days. Any agents acting on behalf of the registration company (the phrase is "lower-level agents" - I believe this specifically refers to resellers) are also to be held to these requirements.

- a copy of the registration application stamped with the official seal of the applicant
- a copy of the enterprise business license
- optionally, an organization certificate (for non-businesses)
- a photocopy of the applicant's identity paperwork

The announcement states that the Domain Name Registration Service must then carefully examine the written materials and send a copy to CNNIC.

The online registration is allowed to proceed in realtime, but if the written materials are not received within five days, the domain name must be canceled.

We will anxiously await measurement of the results of this new policy. There are several news stories referring to particular registration companies being banned from future .cn registration until they come into compliance. According to John Leyden's article Chinese domain crackdown targets smut sites these include:

Saturday, December 12, 2009

I guess the UAB Spam Data Mine is having a bad day! Our VISA card is being used in Kuwait!

Dear VISA card holder,

A recent review of your transaction history determined that your card was used at an ATM located in Kuwait, but for security reasons the requested transaction was refused.
Please carefully review electronic report for your VISA card

We've seen the malware spammed on 118 different domain names since the start of the campaign, with more than 17,000 copies of the spam received in the UAB Spam Data Mine. In front of the domain name are several possible prefixes:

The guys at MaxMind will be excited to know that these criminals are customers of theirs for Geocoding the locations of their infected bots.

The creators of the "FSPACK" malware engine will also be proud to count these guys as customers.

It looks like we've got four exploits that are going to try to run when we visit, if you can trust the loader. RDS.DataSpace is OLD, like MS06-014. A note on SecurityFocus in 2007 says that the MPack Hacker Tool uses it. Apparently the FSPack hacker tool does too!

Wednesday, December 09, 2009

I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by creating new accounts in all those places and then spamming those URLs. They then second-phase scammed by claiming that you were entering a "$1.95 trial", which actually could cost more than $200 and had no way to exit, since no one ever answers the phone number you have to call to "cancel your trial". (See Google Jobs Scam: Read the Fine Print.)

Several sources are reporting that Google has now filed suit against the parent company of this scam, Pacific WebWorks. I first heard about it from Graham Cluley's Sophos Blog, but went on to find Google's report.

As Solomon said, "What has been will be again, what has been done will be done again; there is nothing new under the sun." (Ecclesiastes 1:9) Today we have another round of the "Facebook Update Tool" which we actually blogged about on October 28th (see Facebook Phish: Users Beware!) and on November 28th (see Beware Weekend Facebook Scam).

The path has changed since the last go-round, with two different URL patterns being used:

All of the "Facebook Password Reset Confirmation" are emails with a '.zip' attachment intended to infect with Bredolab. These were covered in Yesterday's blog entry: Ongoing Badness: AmEx, Facebook and .CN. The Zeus / Zbot infector is in the campaign represented by the bottom three subjects on the list. With 189,301 messages received so far this early morning, that puts the Facebook Zeus at .9% of our email volume for this morning, and the Facebook Bredolab at 2% of our email volume for this morning. Let's be generous and say that 3% of all of our spam this morning is using a Facebook scam to try to infect us with malware.

For comparison, here are the top Facebook spam subjects for yesterday:

By the 24 hour clock, yesterday we received 917,872 spam email messages, so 1.2% of yesterday's entire spam volume was Bredolab infectors, and .7% of yesterday's entire spam volume was Facebook Zeus / Zbot, or roughly 2% of all spam for the day, although that's not really fair since Facebook Zeus started so late in the day.

Here's an example of the email body:

Dear Facebook user,

In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account.

Despite the wide popularity of this on-going scam, it also calls into question the validity of traditional anti-virus solutions. Any signature-based malware solution is going to be challenged by rapidly changing malware such as these Zbot infectors. This morning's version of the malware is currently detected by only 9 of 41 anti-virus solutions as reported by this VirusTotal report.

Security suites which include website blocking fare much better, protecting their customers not by knowing this virus, but by recognizing that the website is offensive. For instance, I am using the McAfee Site Advisor plug-in for Firefox, which recognized this site as offensive. The Google SafeBrowsing list used by Firefox also knows these are offensive sites, and TrendMicro's "Smart Protection Network" performs a similar function for their customers. When selecting an anti-virus solution, make sure that they are also proactively blocking websites known to distribute malware. Even when the criminal shifts to a new virus definition, the fact that these websites are known to be bad will prevent the malware from being downloaded.

This campaign has an attached ZIP file, with the most popular attachment name this morning being:

Facebook_Password_58688.zip

That file is recognized by 18 of 41 AV products according to this VirusTotal Report which finds the most popular definition names to be of the Bredolab family of malware.

We've been seeing Bredolab, primarily as fake package delivery notices, for some time this fall. We mentioned it back on October 2 as the second story in Cyber Security Awareness Day Two, but it's been a near constant presence since that time.

Here's a sample email body:

Hey gar ,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook.

The attachment had these characteristics:

File size: 17223 bytes
MD5 : 632c33ddd8ad8fe9ba317fa441ff4540

More BredoLab - DHL Services

There is also a DHL services version that continues to be heavily spammed this morning:

Subject: DHL Services. Please get your parcel NR.42246

Each email has a randomly generated parcel number, but we've seen more than 1,000 copies of this spam already this morning as well, with messages that look like this:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention! The shipping label is attached to this e-mail. Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you, DHL Express Services.

The ZIP file attached to this email is also Bredolab according to this VirusTotal report, which showed a 20 of 41 detection rate.

File size: 17904 bytes
MD5 : f6fc6ffbd0be0c0b0d8b702b5b47d571

Climate Change?

We wondered if the Climate Change Summit would end up being used as a spam bait, but so far it's only being used as yet another lame way to deliver Viagra messages.

The Subjects:

Act now on climate, summit urged
What are your hopes for climate summit?

are only two of many pathetic news headline attempts to get people to visit Chinese domain names to see their Canadian pharmacy ads. Other headlines for this particular spammer include:

23,607 of these emails were from this particular Canadian Pharmacy group, which gives us 10% of all our emails - before we put in the subjects which use email addresses and random character insertion.

If we look at the top domains that we saw so far this morning (6:30 AM) after the huge amounts of spam for x10 cameras (www.x10.com) and some other Chinese hosted but not Chinese named spam domains, (medztochoosefrom.net, drugsquentin25.net) most of the top ten spammed domains are Chinese pill seller domains:

where (targeted hosting company) can be:

locaweb.com.br
now.cn
4shared.com
50webs.com
bluehost.com
earthlink.com
github.com
godaddy.com
homestead.com
hostalia.com
hostgator.com
hostmonster.com
ixwebhosting.com
jeeran.com
lunarpages.com
mediafire.com
mozy.com
namecheap.com
netfirms.com
networksolutions.com
pair.com
powweb.com
qwest.com
register.com
resellerclub.com
siteground.com
sitesell.com
softlayer.com
squarespace.com
startlogic.com
t35.com
theplanet.com
ucoz.com
vendio.com
volusion.com
web.com
webhost4life.com
webhostingpad.com
west263.com
x10hosting.com
yahoo.com
35.com
bravehost.com
dreamhost.com
enom.com
fatcow.com
krypt.com
midphase.com
one.com
xlhost.com
000webhost.com
all-inkl.com
angelfire.com
bravenet.com
freeservers.com
freewebs.com
ipower.com
justhost.com
leaseweb.com
pingdom.com
rackspace.com
zerolag.com
arabstart.com
awardspace.com
fortunecity.com
freehostia.com
dynadot.com
pueblo.cz
arcor.de
funpic.de
hosteurope.de
ohost.de
1und1.de
server4you.de
strato.de
usenext.de
aruba.it
isimtescil.net
masterweb.net
ovh.net
speakeasy.net
aplus.net
mediatemple.net
home.pl
nazwa.pl
masterhost.ru
123-reg.co.uk
1and1.co.uk
oneandone.co.uk
fasthosts.co.uk
netbenefit.co.uk
website.ws

The URL contains your email address and the provider link. When you visit the page, this information is stored as part of the URL for "command_003.php". You can see what I mean in the layout below:

After providing the userid and password, your information is saved, and then you are forwarded to whatever hosting provider was specified in the "service=" tag. If you clicked on a web.com version of the email, you go to web.com. If you clicked on a yahoo.com version of the email, you go to yahoo.
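Because the phishing URL carries both the victim's address and the "service=" provider that the page will forward to, a hosting company or mail team can pick these hits out of a proxy or mail log and see which customers were targeted. The following is an added example, not code from the blog. The "command_003.php" path and the "service=" parameter come from the post; the sample proxy-log lines and hostnames are constructed, the provider set is a subset of the list above, and since the post does not name the parameter holding the e-mail address, the code scans every query value for one rather than assuming a name. Addresses are masked before they are reported so the triage output does not itself leak the victim list.

```python
"""Triage proxy-log URLs for the webmaster-credential phish described in the post.

Added example; the log lines and hostnames are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Subset of the targeted hosting companies listed in the post.
TARGETED_PROVIDERS = {
    "web.com", "yahoo.com", "godaddy.com", "bluehost.com", "hostgator.com",
    "networksolutions.com", "1and1.co.uk", "ovh.net",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed proxy-log lines: "<timestamp> <client> <url>".
SAMPLE_PROXY_LOG = """\
2009-12-09T06:31:02 10.0.0.15 http://cpanel-verify.test/command_003.php?service=web.com&id=webmaster%40victim-site.test
2009-12-09T06:32:40 10.0.0.22 http://cpanel-verify.test/command_003.php?service=yahoo.com&id=admin%40example.test
2009-12-09T06:33:01 10.0.0.9 http://www.example.org/index.php?service=web.com
2009-12-09T06:35:15 10.0.0.15 http://cpanel-verify.test/command_003.php?service=unknown-host.test&id=a%40b.test
"""


def mask_email(addr):
    """Keep the first character of the local part and the domain; hide the rest."""
    local, _, domain = addr.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def analyze_phish_url(url):
    """Return details for a command_003.php URL, or None for anything else."""
    parts = urlsplit(url)
    if not parts.path.endswith("/command_003.php"):
        return None
    params = parse_qs(parts.query)
    service = params.get("service", [""])[0].lower()
    # The post says the victim's address is in the URL but does not name the
    # parameter, so look at every decoded query value for an e-mail shape.
    emails = [v for values in params.values() for v in values if EMAIL_RE.match(v)]
    return {
        "host": parts.hostname,
        "service": service,
        "impersonated_provider": service in TARGETED_PROVIDERS,
        "victim_email_masked": mask_email(emails[0]) if emails else None,
    }


def triage(log_text):
    """Run every log line through the analyzer and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split(maxsplit=2)
        result = analyze_phish_url(url)
        if result:
            hits.append({"ts": ts, "client": client, **result})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROXY_LOG):
        print(hit)
```

The "impersonated_provider" flag tells the responder which hosting company's login page the victim was shown, which is the account whose password needs resetting; a hit with an unknown "service=" value is still a hit, just one that needs a human to identify the brand. Only the masked address should go into a ticket; the full value stays in the log.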

If you are a webmaster and have received one of these emails, please be sure to contact your hosting provider to reset your passwords immediately, and review your pages to see what changes may have been made. If you learn what the bad guys are doing with your site, please drop me a note about it as well. (gar at uab dot edu)